Gillian Scribbins, data protection specialist at Muckle LLP, considers the Data Protection Bill and how it works with the new General Data Protection Regulation (GDPR).
The implementation date has been and gone; the GDPR is in full swing, but for many the hard work towards compliance will remain an issue that rumbles on. In amongst all this white GDPR noise is a supplementary piece of legislation that businesses need to be aware of too. The Data Protection Bill.
The purpose of the Bill has confused many. What the Bill is not, is a transposition of the GDPR into UK law. The GDPR takes direct effect in this country of its own accord. What the Bill does is support and extend on the provisions of the GDPR.
The Data Protection Bill (which will become the Data Protection Act 2018 once it has been enacted into UK law) and the GDPR will sit alongside one another. Being a European wide piece of legislation, the GDPR allows for autonomy on certain aspects of the Regulation to individual countries, known as derogations.
The Department for Digital, Culture Media and Sport has explained this should form a comprehensive and modern framework for Data Protection in the UK.’
Elizabeth Denham, the Information Commissioner, explains that: “Effective, modern data protection laws with robust safeguards are central to securing the public’s trust and confidence in the use of personal information within the digital economy, the delivery of public services and the fight against crime.
The Bill focuses on these public service and crime derogations, applying data protection law to areas that are not specifically covered by the GDPR. Where applicable, it expands on GDPR provisions so that they are directly relevant to UK citizens and organisations.
Key derogations include:
1. The minimum age to process data for an online service (called an information society’) without parents’ consent, which has been set at 13 in England and Wales.
The Bill does not impose a general age of consent for processing children’s data. As in the Data Protection Act 1998, a child is anyone under the age of 18, however they should be able to exercise their own data protection rights at the discretion of parents or guardians.
2. The specific powers and obligations of the UK’s data protection supervisory authority, the ICO, in the UK, which are set out in the Bill.
The Bill gives increased powers to the Information Commissioners Office (ICO), to enforce the higher fines on data controllers and processors that have been highly documented throughout the press in recent months, as well as multiple regulatory actions such as stop orders and dawn raids. This power now extends to bringing forward criminal proceedings for those preventing disclosure on a subject access request.
3. The exemptions of law enforcement processing or intelligence service processing, to which the GDPR does not apply.
These specific exemptions and conditions to the provisions of the GDPR are covered in detail by the Bill. Many of these are for the purposes of national security, which are unlikely to affect the majority of organisations. Other derogations may be more broadly applicable, for example the UK specific employment, health and research purposes on which special category data may be processed.
The Bill also aims to bring continuity, by ensuring legislation which interacts with UK data protection law will continue to have effect, such as the Freedom of Information Act. And politically, the government is keen to ensure that in a post-Brexit world, the UK data protection laws are in line with not only Europe but the world’s leading economies too. As the government estimates that data will benefit the UK economy by up to £241 billion between 2015 and 2020, protection of data is clearly integral.
While it cannot be doubted that the GDPR is the headline act, the Data Protection Bill tailors data protection to this country, so it can’t be neglected. Indeed, the Data Protection Bill is for solicitors a key point of call when seeking to clarify how the provisions of the GDPR may apply in practice.
Businesses need to be aware that post May there are still numerous challenges that await them for continued compliance. One of these challenges is a solid awareness of the Data Protection Bill and its impact.